Win-DoS Epidemic: New DoS and DDoS Attacks Start with Microsoft Windows

At the recent DEF CON 33 security conference, SafeBreach Labs researchers Or Yair and Shahak Morag presented a new class of denial-of-service (DoS) attacks they call the “Win-DoS Epidemic.” Their research shows how an attacker can crash any Windows endpoint or server, including domain controllers (DCs), and how publicly reachable DCs can be turned into a large-scale Distributed Denial-of-Service (DDoS) botnet without compromising them.

Key Vulnerabilities Uncovered

Yair and Morag presented four Windows DoS vulnerabilities, all zero-click (no user interaction is required), and one DDoS technique. Microsoft classifies all four vulnerabilities as “uncontrolled resource consumption” (CWE-400):

  • CVE-2025-26673 (CVSS 7.5): A high-severity denial of service vulnerability in Windows LDAP.
  • CVE-2025-32724 (CVSS 7.5): A high-severity DoS vulnerability in Windows LSASS.
  • CVE-2025-49716 (CVSS 7.5): A high-severity DoS vulnerability in Windows Netlogon.
  • CVE-2025-49722 (CVSS 5.7): A medium-severity DoS vulnerability in the Windows Print Spooler. It scores lower because it requires an authenticated attacker on an adjacent network.

A successful DoS attack on a domain controller can paralyze an entire organization, preventing users from logging in, accessing resources, or conducting everyday operations. The researchers emphasized, “Introducing the ‘Win-DoS Epidemic’: DoS tools that exploit four new zero-click Win-DoS vulnerabilities and one Win-DDoS! They crash any Windows endpoint/server, including DCs, or launch a botnet using public DCs for DDoS attacks. The epidemic has begun.”

Domain controllers are pivotal to enterprise networks, managing authentication and centralizing user and resource management. This latest work builds on the researchers’ previous discovery of the LdapNightmare vulnerability (CVE-2024-49113), which was the first public DoS exploit targeting a Windows domain controller. The new findings significantly broaden the scope of this threat, extending beyond LDAP to exploit other essential Windows services.

The most significant finding is the DDoS technique, which they call Win-DDoS. It abuses the way the Windows LDAP client handles referrals. Normally, an LDAP referral tells a client that the data it asked for lives on another server and points it there. Yair and Morag found that they could make DCs act as LDAP clients, steer them with a referral to a victim server, and, crucially, keep the DCs repeating that redirection continuously. This turns DDoS into a high-bandwidth, high-volume attack that carries none of the cost or risk of building and maintaining a conventional botnet.

Because the traffic is generated by tens of thousands of publicly reachable DCs worldwide, an attacker effectively gets a large, free botnet. No attacker-owned infrastructure is needed, and the victim sees connections arriving from legitimate DC addresses rather than from the attacker, so the attack is hard to trace back to its source. The abused DCs are not compromised in the usual sense, which means the useful signals for defenders are behavioural: a DC opening repeated outbound LDAP connections to an address that is not another DC in its forest, and, on the victim side, a flood of connections from many unrelated Active Directory domains. The precondition for being abused is a DC that is reachable from the internet, so limiting that exposure reduces the pool of available amplifiers.
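A practical check for the behaviour described above, as an added example that is not SafeBreach's code or tooling and is not part of the original article: a DC normally opens outbound LDAP connections only to other DCs and global catalogs in its own forest, so a DC that suddenly opens many LDAP connections to one foreign address looks like referral chasing. The script assumes a hypothetical one-line-per-connection telemetry format (`<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>`, such as an export of Sysmon Event ID 3 or firewall connection logs), a hypothetical allow-list `KNOWN_DC_IPS`, placeholder thresholds, and constructed sample data.

```python
"""Detect a domain controller chasing LDAP referrals to a non-DC host.

Added example, not SafeBreach's code. The telemetry format, the allow-list,
the thresholds and the sample data are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LDAP_PORTS = {389, 636, 3268, 3269}          # LDAP, LDAPS, GC, GC over TLS
KNOWN_DC_IPS = {"10.0.0.10", "10.0.0.11"}    # assumption: every DC/GC in the forest
WINDOW_SECONDS = 60                          # placeholder: tune to your environment
THRESHOLD = 20                               # placeholder: connections per window


def make_sample_log():
    """Constructed telemetry, one outbound TCP connection per line:
    '<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>'."""
    base = datetime(2025, 8, 9, 12, 0, 0)
    lines = ["# constructed sample data"]
    # Benign: DC-to-DC LDAP (replication, GC lookups) every 10 seconds.
    for i in range(6):
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} 10.0.0.10 -> 10.0.0.11:389")
    # Benign: a workstation querying a DC; the source is not a DC, so it is ignored.
    lines.append(f"{base.isoformat()} 10.0.5.23 -> 10.0.0.10:389")
    # Suspicious: one DC opens 25 LDAP connections to an external host in 25 seconds,
    # the shape a DC stuck following referrals to a victim would produce.
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=30 + i)).isoformat()} 10.0.0.10 -> 203.0.113.7:389")
    # Below threshold: two LDAPS connections to an external host (e.g. a trust partner).
    for i in range(2):
        lines.append(f"{(base + timedelta(seconds=100 + 5 * i)).isoformat()} 10.0.0.11 -> 198.51.100.5:636")
    return lines


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) for one telemetry line."""
    ts, rest = line.split(" ", 1)
    src, dst = rest.split(" -> ")
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def find_referral_storms(lines, known_dcs=KNOWN_DC_IPS,
                         window_seconds=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {(dc_ip, dst_ip): peak_count} for every DC that opened at least
    `threshold` LDAP connections to one non-DC address inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    per_pair = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst_ip, port = parse_line(line)
        # Only outbound LDAP from a DC to something that is not a DC is interesting.
        if src not in known_dcs or port not in LDAP_PORTS or dst_ip in known_dcs:
            continue
        per_pair[(src, dst_ip)].append(ts)

    alerts = {}
    for pair, stamps in per_pair.items():
        stamps.sort()
        left, peak = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:   # slide the window forward
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            alerts[pair] = peak
    return alerts


if __name__ == "__main__":
    for (dc, target), count in find_referral_storms(make_sample_log()).items():
        print(f"ALERT: DC {dc} opened {count} LDAP connections to non-DC {target} "
              f"within {WINDOW_SECONDS}s; check for referral chasing")
```

On the constructed data this flags only `10.0.0.10 -> 203.0.113.7` (25 connections in one window); the two partner connections stay below the threshold. In a real deployment, populate the allow-list from the forest itself (for example `Get-ADDomainController -Filter *`) and add any legitimately trusted external directories, then tune the window and threshold against a baseline before alerting on it. The victim side can run the mirror-image check: many inbound connections on the same port from a large number of unrelated DC addresses.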

Redazione
The editorial team of Red Hot Cyber comprises a collective of individuals and anonymous sources dedicated to providing timely information and insights on cybersecurity and computing at large.
